Practical Car Hacking

3rd - 5th April 2019 | 3 Days

TRAINER

Guillaume Heilles

OBJECTIVE

In the last few years, we have seen many new attacks on cars, but this environment is still hard to get into mainly because the tools are different from classical reversing or hacking tools.

In this training, the car hacking tools will be presented along with many practical sessions, so that attendees are able to repeat the attacks on their own afterwards. We will provide the necessary CAN tools and perform the attacks on real cars. We will also cover the basic theory of the CAN bus, so that attendees understand what is going on.

*Special gift: attendees will be given a CAN transceiver / controller and an OBD cable so they can replay the attacks with any microcontroller as soon as they get back. They will need to bring a microcontroller board of their choice to the training to connect to their free CAN transceiver / controller. Any SPI-enabled microcontroller should be compatible, but the faster the better! The microcontroller may or may not have a CAN interface; we will handle both cases.

- Autosar: what is it, where does it come from? Presentation of its architecture
- The security modes of an ECU
  - Normal
  - Security session
  - Factory session
  - Practice session: understanding an ECU's PCB
- Breaking into security sessions
  - Brute force
  - Side channel attacks
  - Reverse engineering
    - of the ECU's firmware
    - of a diagnostic software
  - Practice session: write a brute-forcer
- Discovery of CAN messages for your car
  - Understanding UDS standard messages
  - Discovering proprietary messages
  - Practice session: capturing CAN messages from a professional diagnostic device
- Replay attacks
  - Replaying CAN messages
  - Practice session: open the doors of your car
- CAN spoofing
  - Is there message integrity?
  - What are message counters?
  - Practice session: modify the speedometer
- CAN fuzzing
  - Disclaimer
  - Analyzing captured messages
  - Custom fuzzer
  - Practice session: fuzzing a specific ECU
- ECU reprogramming
  - Dumping the firmware
    - JTAG, UART, SWD, ICSP, SPI
    - Flash resoldering
  - Quick analysis of a firmware
  - Reprogramming the firmware
  - Practice session: dumping a firmware
- ECU firmware reverse engineering
  - Architecture of a legacy firmware
  - Architecture of an Autosar firmware
  - Finding the right entry points
  - Practice session: reversing a firmware
- Open-source tools and references
  - Candump
  - Canmonitor
  - Where to find other tools
- Other buses
  - LIN
  - FlexRay
  - Ethernet
  - WiFi
  - USB
  - 3G
- Firmware Reverse Engineering: methodology
  - Finding the base address
  - Identifying code and data
  - Checking the cross-references
  - Static resolution of function pointers
- Firmware Reverse Engineering: dynamic analysis
  - What do we know about the firmware?
  - Collecting information
- Firmware Reverse Engineering: identifying known assets
  - UDS / KWP commands
  - UDS / KWP error codes
  - CAN database and handlers
- Reversing a specific function
  - Security session algorithms
  - Firmware upload/download
  - Others
- Learning a new CPU architecture
  - Basic concepts of assembly language
  - IDA helpers
  - The different kinds of datasheets and what to look for
  - Practice, practice, and practice
- Real-world case studies illustrating the previous points
  - ECU on TriCore architecture
  - ECU on PowerPC architecture
  - ECU on V850 architecture
  - AUTOSAR ECU
  - Non-AUTOSAR ECU

Who should attend?

- Security researchers
- Car equipment designers
- Hackers interested in cars

Prerequisite Knowledge:

- Basic knowledge of programming (C, Python)
- Basic knowledge of Linux
- Basic knowledge of firmware reversing is a plus, but not required

Hardware/Software Requirements:

- Laptop with WiFi
- SSH client
- Reverse engineering software is a plus
- A smartphone with Torque Free installed

ABOUT THE TRAINER

Guillaume Heilles is a security engineer at Quarkslab. He mainly focuses on hardware attacks on IoT devices, but also on reverse engineering and exploitation. He presented the Hardware CTF at hardwear.io in 2017 and 2018, and gave the talk "How to drift with any car" at the 34th CCC in 2017.